We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Tom Simonite

A View from Tom Simonite

An Epic Hack Performed With a Few Simple Tricks

The victim’s Apple devices suddenly went dark last Friday. Similar attacks remain possible.

  • August 7, 2012

Lax security practices by Apple and Amazon cost one journalist a year’s worth of photos and other data last Friday, in a chilling tale that’s a reminder that keeping data secure is far from a solved problem.

Mat Honan of Wired laid out what happened yesterday, explaining how he had all of his data wiped from his iPhone, iPad and MacBook using Apple’s remote wipe feature, which is intended to protect the data on a gadget if it is lost or stolen. Attackers got control of Honan’s Apple account by first taking advantage of a flaw in one of Amazon’s systems that gave them the last four digits of his credit card number. That and an email address was all that was needed to convince Apple to hand over control of his account. As Honan put it:

[T]he very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

Amazon changed its customer service policies today to prevent the trick that compromised Honan’s account, Wired reports. Apple has so far said little, apart from denying the existence of the loophole that got Honan hacked, which he claims he was able to replicate several times.

Honan’s Gmail account was also compromised as part of the attack, the goal of which was simply to wrest control of his three letter twitter account, @mat. Many people have blogged and tweeted today to say that Honan – and everybody else – should use Google’s two factor authentication, which is a more secure alternative to the traditional username and password. It involves using both a regular password and a one-time code generated by a phone app every time you log in.

Two factor authentication could have helped protect Honan, and could boost the security of many other services, too. But despite Google’s best efforts, it still feels clunky to use. The debut of NFC chips in phones might reduce the burden, though, and Intel showed off laptops at CES back in January that processed online payments by having a person tap their phone on a computer to authenticate. However, companies will still need ways to help people that forget their password to get back into their accounts. That means that we will remain at the mercy of various combinations of security questions and systems, like those that let Honan down, for a while yet. 

In general, the best advice available is to understand how the services you use protect your account, and adjust your security questions, passwords and back up emails accordingly. Also, to avoid losing data irretrievably as Honan did, to frequently back up your data in multiple places.

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.
Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.